Monday, July 25, 2011

Solutions: The Hex Factor v2010 (B200)

For the second challenge in the pwned category we need to attack a workstation on which a user is browsing some random websites.

Before we start the description of the attack there are some things you should know. The target is located at 192.168.1.8 and my machine has the .9 IP in the same range.

The objective is to gain administrative privileges on the target and execute a binary that gives you points for the game.

You can either read the text or view the video posted below. If anything is unclear regarding the provided solution, don't hesitate to either drop an e-mail or to leave a comment on the blog.
As we already know the IP address of the target, we start by port scanning the target with NMAP. As we don’t need to be silent or non-intrusive we’ll just throw in everything NMAP has with the –A option (this includes service detection and the Nmap scripting engine for the top 1000 TCP ports as we didn’t specify any specific ports).

We notice that only port 139 appears to be open.

Let’s try and see what kind of traffic is send and received by the machine, using Ettercap (ofcourse we use the 1337 the graphical interface ;)).

By performing an ARP cache poison attack, we intercept all non-local traffic that is send and received by our target by spoofing the local gateway.

It seems like our target is surfing to several websites, using a very old version of Mozilla Firefox (Firefox 1.0.3). After a bit of research this version appears to be vulnerable to a buffer overflow that allows an attacker to execute remote code on the system. Let's fire up Metasploit :-)

With this setup Metasploit wil create a webserver hosting a meterpreter. As soon a client connects to the webserver it tries to exploit the browser using the Mozilla 1.0.3 exploit. So… now we only need to find a way to trick the target into connecting to this website so we can launch the exploit. A simple DNS spoof of Ettercap should do the trick!

In order to properly start the DNS spoofing with Ettercap you need to edit the following file:
/usr/share/ettercap/etter.dns and add the following rule

* A < yourip > < / yourip >;

This will intercept all DNS requests (*) and redirect them to your IP. If you want to be less intrusive you can add a specific website on the * location, e.g.:

www.thehexfactor.org A < yourip > < / yourip >;

If you got it configured correctly, the Ettercap output should look something like this:

When a client now performs a DNS request, he will be redirected to our machine and the exploit will be executed.

Ok that seemed to work quite well. The next step is to escalate to system privileges. Metasploit has some built in functions available for doing this trick. With the getsystem command it tries 4 different methods (including the “new” Kitrap0d method) to gain additional privileges.

Success! We have system privileges on our target, job well done :-)

Thanks for reading this short blog post. Please support the hex factor by twitting or blogging about this awesome project!